I found a few worrying bits of code on a client’s instance.
He had version 5.2.3 of “Quick Page/Post Redirect” installed. But neither in the plugin repo nor in the SVN did I find a corresponding version. My first thought was that it must be an external attack.
However, the code in question made the following call (when requestet as the googlebot) and placed the content received in front of
What I find quite worrying is that the content is dependent on the user agent. So the links are only loaded when the call is made by the Googlebot. This makes it quite difficult to identify.
Since anadnet.com belongs to the developer of the plugin, I wonder if this is malicious code deliberately smuggled in to earn a few dollars via a search engine network.
@anadnet , could I get a statement from you on that?
- The topic ‘possibly malicious code?’ is closed to new replies.